What is claimed is: 

1. A method of grouping network events, comprising: 

receiving a stream of network events, each network event including a set of event 
parameters in association with a network session that corresponds to a message being 
transmitted through a network; 

for a network event in the stream, making an initial session determination by 
determining whether the event belongs to a same network session as any previously received 
event; 

for the network event, identifying information of network address translations 
performed by one or more devices along a network transmission path associated with the 
network event; 

categorizing the network event in accordance with at least one of the session 
determination and the network address translation information; and 
at a predefined time, 

processing a categorized network event to identify another categorized 
network event, if any, belonging to a same network session as the categorized network event; 

grouping the categorized network event and the identified other categorized 
network event, if any, into a set; and 

assigning a unique identifier to the set of events that includes the categorized 

network event. 

2. The method of claim 1, wherein the set of event parameters include source address, 
source port, destination address, destination, port, and network protocol. 

3. The method of claim 1, wherein said network session is a communication channel 
established between a source host and a destination host over a network. 

4. The method of claim 1, wherein the initial session determination includes comparing 
the event parameters of a newly received network event with the event parameters of any 
previously received network event, and if there is a match, the newly received event belongs 
to a same network session as those previously received matching events. 

5. The method of claim 1, wherein each of said one or more devices is associated with at 
least one network address translation rule, each rule comprising a pre-mapping parameter 
domain and a post-mapping parameter domain for one or more event parameters. 
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6. The method of claim 5, wherein the pre-mapping and/or post-mapping domains of 
two network address translation rules may overlap each other. 

7. The method of claim 1, wherein said identifying includes 

identifying a first network address translation rule associated with a first device, if 
any, on a network transmission path whose pre-mapping parameter domain contains the 
parameters of the network event; 

estimating a first set of event parameters contained in the post-mapping parameter 
domain of the first rule after applying the first rule to the network event; 

identifying a second network address translation rule associated with a second device, 
if any, on a network transmission path whose post-mapping parameter domain contains the 
parameters of the network event; and 

estimating a second set of event parameters contained in the pre-mapping parameter 
domain of the second rule after applying the second rule to the network event. 

8. The method of claim 1, wherein said categorizing includes 

associating the network event with any previously received event in accordance with 
the initial session determination result; and 

associating the network event with any previously received event in accordance with 
the network address translation information obtained in said identifying 

9. The method of claim 1, wherein the predefined time is associated with a network 
event. 

10. The method of claim 1, wherein the categorized network event and the identified 
other categorized network event belong to different categories during said categorizing. 

11. The method of claim 1, wherein said processing is performed in accordance with the 
identified network address translation information for the network transmission path 
associated with the network event. 

12. The method of claim 1, wherein said processing is performed in accordance with 
network address translation information received after arrival of the categorized network 
event. 

13. A network event grouping system, comprising: 



11353-004-999 



- 19- 



CAl: 347222.1 



one or more central processing units for executing programs; 
an interface for receiving network events; and 

a network event correlation engine module executable by the one or more central 
processing units, the module comprising: 

a plurality of data structures for storing a stream of network events, each 
network event including a set of event parameters in association with a network session that 
corresponds to a message being transmitted through a network; 

instructions for establishing a correlation when a network event in the stream 
belong to a same network session as another network event in the stream; 

instructions for identifying information of network address translations 
performed by one or more devices along a network transmission path associated with a 
network event; 

instructions for categorizing a network event in the stream in accordance with 
the event's network session relationship and/or the event's network address translation 
information; and 

instructions for invoking a categorized network event at a predefined time, 
wherein invoking comprises processing the categorized network event to identify another 
categorized network event, if any, belonging to a same network session as the categorized 
network event, grouping the categorized network event and the identified other categorized 
network event, if any, into a set, and assigning a unique identifier to the set of events that 
includes the categorized network event. 

14. The system of claim 13, wherein the set of event parameters include source address, 
source port, destination address, destination, port, and network protocol. 

15. The system of claim 13, wherein said network session is a communication channel 
established between a source host and a destination host over a network. 

16. The system of claim 13, wherein the instructions for establishing a correlation include 
comparing the event parameters of a newly received network event with the event parameters 
of any previously received network event, and if there is a match, the newly received event 
belongs to a same network session as those previously received matching events. 
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17. The system of claim 13, wherein each of said one or more devices is associated with 
at least one network address translation rule, each rule comprising a pre-mapping parameter 
domain and a post-mapping parameter domain for one or more event parameters. 

18. The system of claim 17, wherein the pre-mapping and/or post-mapping domains of 
two network address translation rules may overlap each other. 

19. The system of claim 13, wherein said identifying instructions include 
identifying a first network address translation rule associated with a first device, if 

any, on a network transmission path whose pre-mapping parameter domain contains the 
parameters of the network event; 

estimating a first set of event parameters contained in the post-mapping parameter 
domain of the first rule after applying the first rule to the network event; 

identifying a second network address translation rule associated with a second device, 
if any, on a network transmission path whose post-mapping parameter domain contains the 
parameters of the network event; and 

estimating a second set of event parameters contained in the pre-mapping parameter 
domain of the second rule after applying the second rule to the network event. 

20. The system of claim 13, wherein said categorizing instructions include 
associating the network event with any previously received event in accordance with 

the initial session determination result; and 

associating the network event with any previously received event in accordance with 
the network address translation information obtained in said identifying 

21. The system of claim 13, wherein the predefined time is associated with a network 
event. 

22. The system of claim 13, wherein the categorized network event and the identified 
other categorized network event belong to different categories during said categorizing. 

23. The system of claim 13, wherein said processing is performed in accordance with the 
identified network address translation information for the network transmission path 
associated with the network event. 
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24. The system of claim 13, wherein said processing is performed in accordance with 
network address translation information received after arrival of the categorized network 
event. 

25. A computer program product for use in conjunction with a computer system, the 
computer program product comprising a computer readable storage medium and a computer 
program mechanism embedded therein, the computer program mechanism comprising: 

instructions for receiving and storing a stream of network events, each network event 
including a set of event parameters in association with a network session that corresponds to 
a message being transmitted through a network; 

instructions for establishing a correlation when a network event in the stream belong 
to a same network session as another network event in the stream; 

instructions for identifying information of network address translations performed by 
one or more devices along a network transmission path associated with a network event; 

instructions for categorizing a network event in the stream in accordance with the 
event's network session relationship and/or the event's network address translation 
information; and 

instructions for invoking a categorized network event at a predefined time, wherein 
invoking comprises processing the categorized network event to identify another categorized 
network event, if any, belonging to a same network session as the categorized network event, 
grouping the categorized network event and the identified other categorized network event, if 
any, into a set, and assigning a unique identifier to the set of events that includes the 
categorized network event. 

26. The computer program product of claim 25, wherein the set of event parameters 
include source address, source port, destination address, destination, port, and network 
protocol. 

27. The computer program product of claim 25, wherein said network session is a 
communication channel established between a source host and a destination host over a 
network. 

28. The computer program product of claim 25, wherein the instructions for establishing a 
correlation include comparing the event parameters of a newly received network event with 
the event parameters of any previously received network event, and if there is a match, the 
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newly received event belongs to a same network session as those previously received 
matching events. 

29. The computer program product of claim 25, wherein each of said one or more devices 
is associated with at least one network address translation rule, each rule comprising a pre- 
mapping parameter domain and a post-mapping parameter domain for one or more event 
parameters. 

30. The computer program product of claim 29, wherein the pre-mapping and/or post- 
mapping domains of two network address translation rules may overlap each other. 

31 . The computer program product of claim 25, wherein said identifying instructions 
include 

identifying a first network address translation rule associated with a first device, if 
any, on a network transmission path whose pre-mapping parameter domain contains the 
parameters of the network event; 

estimating a first set of event parameters contained in the post-mapping parameter 
domain of the first rule after applying the first rule to the network event; 

identifying a second network address translation rule associated with a second device, 
if any, on a network transmission path whose post-mapping parameter domain contains the 
parameters of the network event; and 

estimating a second set of event parameters contained in the pre-mapping parameter 
domain of the second rule after applying the second rule to the network event. 

32. The computer program product of claim 25, wherein said categorizing instructions 
include 

associating the network event with any previously received event in accordance with 
the initial session determination result; and 

associating the network event with any previously received event in accordance with 
the network address translation information obtained in said identifying 

33. The computer program product of claim 25, wherein the predefined time is associated 
with a network event. 
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34. The computer program product of claim 25, wherein the categorized network event 
and the identified other categorized network event belong to different categories during said 
categorizing. 

35. The computer program product of claim 25, wherein said processing is performed in 
accordance with the identified network address translation information for the network 
transmission path associated with the network event. 

36. The computer program product of claim 25, wherein said processing is performed in 
accordance with network address translation information received after arrival of the 
categorized network event. 
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